wannacry | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

Resubmissions

09/11/2024, 01:48

241109-b8bfnsxkgr 10

09/11/2024, 01:46

241109-b7asratmfs 10

08/11/2024, 23:02

241108-21j1yssaln 10

Analysis

max time kernel
112s
max time network
113s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
08/11/2024, 23:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDAA0D.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDAA24.tmp	WannaCry.exe

Executes dropped EXE 8 IoCs

pid	Process
4492	WannaCry.exe
1780	WannaCry.exe
1560	WannaCry.exe
4564	!WannaDecryptor!.exe
5980	WannaCry.exe
3020	!WannaDecryptor!.exe
952	!WannaDecryptor!.exe
4828	!WannaDecryptor!.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r"	WannaCry.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
81	raw.githubusercontent.com
82	raw.githubusercontent.com
83	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\503a9f77-6124-488b-8371-3e5464f96afe.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241108230319.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
2560	taskkill.exe
3680	taskkill.exe
4056	taskkill.exe
2328	taskkill.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3652	msedge.exe
3652	msedge.exe
1812	msedge.exe
1812	msedge.exe
744	identity_helper.exe
744	identity_helper.exe
1508	msedge.exe
1508	msedge.exe
5200	WMIC.exe
5200	WMIC.exe
5200	WMIC.exe
5200	WMIC.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	2328	taskkill.exe
Token: SeDebugPrivilege	4056	taskkill.exe
Token: SeDebugPrivilege	2560	taskkill.exe
Token: SeDebugPrivilege	3680	taskkill.exe
Token: SeIncreaseQuotaPrivilege	5200	WMIC.exe
Token: SeSecurityPrivilege	5200	WMIC.exe
Token: SeTakeOwnershipPrivilege	5200	WMIC.exe
Token: SeLoadDriverPrivilege	5200	WMIC.exe
Token: SeSystemProfilePrivilege	5200	WMIC.exe
Token: SeSystemtimePrivilege	5200	WMIC.exe
Token: SeProfSingleProcessPrivilege	5200	WMIC.exe
Token: SeIncBasePriorityPrivilege	5200	WMIC.exe
Token: SeCreatePagefilePrivilege	5200	WMIC.exe
Token: SeBackupPrivilege	5200	WMIC.exe
Token: SeRestorePrivilege	5200	WMIC.exe
Token: SeShutdownPrivilege	5200	WMIC.exe
Token: SeDebugPrivilege	5200	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5200	WMIC.exe
Token: SeRemoteShutdownPrivilege	5200	WMIC.exe
Token: SeUndockPrivilege	5200	WMIC.exe
Token: SeManageVolumePrivilege	5200	WMIC.exe
Token: 33	5200	WMIC.exe
Token: 34	5200	WMIC.exe
Token: 35	5200	WMIC.exe
Token: 36	5200	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5200	WMIC.exe
Token: SeSecurityPrivilege	5200	WMIC.exe
Token: SeTakeOwnershipPrivilege	5200	WMIC.exe
Token: SeLoadDriverPrivilege	5200	WMIC.exe
Token: SeSystemProfilePrivilege	5200	WMIC.exe
Token: SeSystemtimePrivilege	5200	WMIC.exe
Token: SeProfSingleProcessPrivilege	5200	WMIC.exe
Token: SeIncBasePriorityPrivilege	5200	WMIC.exe
Token: SeCreatePagefilePrivilege	5200	WMIC.exe
Token: SeBackupPrivilege	5200	WMIC.exe
Token: SeRestorePrivilege	5200	WMIC.exe
Token: SeShutdownPrivilege	5200	WMIC.exe
Token: SeDebugPrivilege	5200	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5200	WMIC.exe
Token: SeRemoteShutdownPrivilege	5200	WMIC.exe
Token: SeUndockPrivilege	5200	WMIC.exe
Token: SeManageVolumePrivilege	5200	WMIC.exe
Token: 33	5200	WMIC.exe
Token: 34	5200	WMIC.exe
Token: 35	5200	WMIC.exe
Token: 36	5200	WMIC.exe
Token: SeBackupPrivilege	5312	vssvc.exe
Token: SeRestorePrivilege	5312	vssvc.exe
Token: SeAuditPrivilege	5312	vssvc.exe

Suspicious use of FindShellTrayWindow 54 IoCs

pid	Process
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
952	!WannaDecryptor!.exe

Suspicious use of SendNotifyMessage 40 IoCs

pid	Process
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4564	!WannaDecryptor!.exe
4564	!WannaDecryptor!.exe
3020	!WannaDecryptor!.exe
3020	!WannaDecryptor!.exe
952	!WannaDecryptor!.exe
4828	!WannaDecryptor!.exe
952	!WannaDecryptor!.exe
4828	!WannaDecryptor!.exe
1812	msedge.exe
1812	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1812 wrote to memory of 4588	1812	msedge.exe	81
PID 1812 wrote to memory of 4588	1812	msedge.exe	81
PID 1812 wrote to memory of 4408	1812	msedge.exe	82
PID 1812 wrote to memory of 4408	1812	msedge.exe	82
PID 1812 wrote to memory of 4408	1812	msedge.exe	82
PID 1812 wrote to memory of 4408	1812	msedge.exe	82
PID 1812 wrote to memory of 4408	1812	msedge.exe	82
PID 1812 wrote to memory of 4408	1812	msedge.exe	82
PID 1812 wrote to memory of 4408	1812	msedge.exe	82
PID 1812 wrote to memory of 4408	1812	msedge.exe	82
PID 1812 wrote to memory of 4408	1812	msedge.exe	82
PID 1812 wrote to memory of 4408	1812	msedge.exe	82
PID 1812 wrote to memory of 4408	1812	msedge.exe	82
PID 1812 wrote to memory of 4408	1812	msedge.exe	82
PID 1812 wrote to memory of 4408	1812	msedge.exe	82
PID 1812 wrote to memory of 4408	1812	msedge.exe	82
PID 1812 wrote to memory of 4408	1812	msedge.exe	82
PID 1812 wrote to memory of 4408	1812	msedge.exe	82
PID 1812 wrote to memory of 4408	1812	msedge.exe	82
PID 1812 wrote to memory of 4408	1812	msedge.exe	82
PID 1812 wrote to memory of 4408	1812	msedge.exe	82
PID 1812 wrote to memory of 4408	1812	msedge.exe	82
PID 1812 wrote to memory of 4408	1812	msedge.exe	82
PID 1812 wrote to memory of 4408	1812	msedge.exe	82
PID 1812 wrote to memory of 4408	1812	msedge.exe	82
PID 1812 wrote to memory of 4408	1812	msedge.exe	82
PID 1812 wrote to memory of 4408	1812	msedge.exe	82
PID 1812 wrote to memory of 4408	1812	msedge.exe	82
PID 1812 wrote to memory of 4408	1812	msedge.exe	82
PID 1812 wrote to memory of 4408	1812	msedge.exe	82
PID 1812 wrote to memory of 4408	1812	msedge.exe	82
PID 1812 wrote to memory of 4408	1812	msedge.exe	82
PID 1812 wrote to memory of 4408	1812	msedge.exe	82
PID 1812 wrote to memory of 4408	1812	msedge.exe	82
PID 1812 wrote to memory of 4408	1812	msedge.exe	82
PID 1812 wrote to memory of 4408	1812	msedge.exe	82
PID 1812 wrote to memory of 4408	1812	msedge.exe	82
PID 1812 wrote to memory of 4408	1812	msedge.exe	82
PID 1812 wrote to memory of 4408	1812	msedge.exe	82
PID 1812 wrote to memory of 4408	1812	msedge.exe	82
PID 1812 wrote to memory of 4408	1812	msedge.exe	82
PID 1812 wrote to memory of 4408	1812	msedge.exe	82
PID 1812 wrote to memory of 3652	1812	msedge.exe	83
PID 1812 wrote to memory of 3652	1812	msedge.exe	83
PID 1812 wrote to memory of 4464	1812	msedge.exe	84
PID 1812 wrote to memory of 4464	1812	msedge.exe	84
PID 1812 wrote to memory of 4464	1812	msedge.exe	84
PID 1812 wrote to memory of 4464	1812	msedge.exe	84
PID 1812 wrote to memory of 4464	1812	msedge.exe	84
PID 1812 wrote to memory of 4464	1812	msedge.exe	84
PID 1812 wrote to memory of 4464	1812	msedge.exe	84
PID 1812 wrote to memory of 4464	1812	msedge.exe	84
PID 1812 wrote to memory of 4464	1812	msedge.exe	84
PID 1812 wrote to memory of 4464	1812	msedge.exe	84
PID 1812 wrote to memory of 4464	1812	msedge.exe	84
PID 1812 wrote to memory of 4464	1812	msedge.exe	84
PID 1812 wrote to memory of 4464	1812	msedge.exe	84
PID 1812 wrote to memory of 4464	1812	msedge.exe	84
PID 1812 wrote to memory of 4464	1812	msedge.exe	84
PID 1812 wrote to memory of 4464	1812	msedge.exe	84
PID 1812 wrote to memory of 4464	1812	msedge.exe	84
PID 1812 wrote to memory of 4464	1812	msedge.exe	84
PID 1812 wrote to memory of 4464	1812	msedge.exe	84
PID 1812 wrote to memory of 4464	1812	msedge.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffce89046f8,0x7ffce8904708,0x7ffce8904718
  2⤵
  PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,8903619551134647535,18002187388140239916,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
  2⤵
  PID:4408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,8903619551134647535,18002187388140239916,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,8903619551134647535,18002187388140239916,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
  2⤵
  PID:4464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8903619551134647535,18002187388140239916,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:4876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8903619551134647535,18002187388140239916,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:4692
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,8903619551134647535,18002187388140239916,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5764 /prefetch:8
  2⤵
  PID:4780
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:4732
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff6b9255460,0x7ff6b9255470,0x7ff6b9255480
    3⤵
    PID:716
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,8903619551134647535,18002187388140239916,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5764 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8903619551134647535,18002187388140239916,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
  2⤵
  PID:4272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8903619551134647535,18002187388140239916,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
  2⤵
  PID:2804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8903619551134647535,18002187388140239916,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6156 /prefetch:1
  2⤵
  PID:3400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8903619551134647535,18002187388140239916,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
  2⤵
  PID:3688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8903619551134647535,18002187388140239916,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:1
  2⤵
  PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2056,8903619551134647535,18002187388140239916,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5924 /prefetch:8
  2⤵
  PID:988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2056,8903619551134647535,18002187388140239916,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6860 /prefetch:8
  2⤵
  PID:4540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,8903619551134647535,18002187388140239916,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6856 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1508
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 55311731107060.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1356
  - - C:\Windows\SysWOW64\cscript.exe
      cscript //nologo c.vbs
      4⤵
      System Location Discovery: System Language Discovery
      PID:4056
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe f
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4564
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im MSExchange*
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2328
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Microsoft.Exchange.*
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4056
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlserver.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3680
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlwriter.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2560
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe c
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3020
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /b !WannaDecryptor!.exe v
    3⤵
    - System Location Discovery: System Language Discovery
    PID:920
  - - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
      !WannaDecryptor!.exe v
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4828
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1580
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5200
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe
    3⤵
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:952
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1780
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1560
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5980

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2512

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:544

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2905b2a304443857a2afa4fc0b12fa24

SHA1
6266f131d70f5555e996420f20fa99c425074ec3

SHA256
5298bdb27d48c2c2b5e67bdd435445ef5b06d9b36c11394705b413ff3d0f51f3

SHA512
df85de0c817350d8ca3346def1db8653aaee51705822b4c4484c97e7d31282a2936fa516d68c298dcbbb293b044aa7101b3de0c7852c26e98ac6c91415162b53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f5391bd7b113cd90892553d8e903382f

SHA1
2a164e328c5ce2fc41f3225c65ec7e88c8be68a5

SHA256
fd9710650fc6774ce452b01fb37799cd64d3cdc282ac693e918e38322349fe79

SHA512
41957bea3e09c2f69487592df334edc6e3e6de3ab71beb64d9b6d9ce015e02a801b4215344d5d99765abe8ab2396394ac4664fced9f871204453a79463cc7825

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
7f715a5fe530d8fbca20d1d6d22b22d4

SHA1
b1684e0eb0a60f975de8c5267785fda77893f246

SHA256
a2656d55a3cc70a0002df149ea9e8f7d97fb482848cc403f654cd26478574906

SHA512
bd3f440d5ebd0e1138fa4b7f5155c131523052cc92829be2913fe1a989156e87ff6cc7cb36db523736133b9a3f94617a05d7324948c42317f89d0ff1cc4653c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
a17d2b5280240b311012394ce305a54b

SHA1
3a157aeb4d8ed75768ee67b684e259fa3c6d1def

SHA256
8742553752a0b51f0f773f0af5804364855a600bad7dfe2e4f17bef3a3a6abd7

SHA512
5be507cbffacbcc226989038025cd6efe64f83d08bded9df157af6ebb4ed0d32f597edfbf699fb52b4996bcfcff67e88d3a64b6784f0234d792e85dc8f4b79a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
fd57b1caa1cd886db0bcca132b26d784

SHA1
8a4bc45cf83b7eaf2e524436d09d4e4ac54d5519

SHA256
0a29c877c039716a5e35b45a9de5d23b65e98a5f3921288dd8c5c1805aedbf8e

SHA512
8e34796fc08ee823437b896790fcc7f14bf9e1c6575003cb454703f6bf1896a5bfd14511b1edcca3dc6ccdd22ef8568ae9baae0867d8583d9bd5e587a47e4fe6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
2ebbd61422b78463e73114c90d111185

SHA1
96a2a4824b034c487ccfcc08f3d7defa75601565

SHA256
164f96175f640e1c88954414f0d6bd4b866e8bc4004221585211df95aaeacaab

SHA512
a707e87fa44ddc0f804778e849698b4b9b1a110342a9eb8abcc1a9178019d6424077d6293940adf1b3db80872e42fb70347fb927e7a6cadb2490381fb2f1b926

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe589efa.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9bd6f2c8877bac8f7d3cec35585fc940

SHA1
912fd992b171bfd934bd851c8c54c466c2d7b724

SHA256
9e11a4ddad871d6ce79c81bf00fa056e56431cc8125c91ed0fee6c0714608636

SHA512
539c95e4fad5a824755e5b7d7baac047f66fc2c79df3a843d601407b707aa41d5835f543c1831afc4dbbf073db26313ac2e519a85f000d06fa58163a2a7a1845

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
93c4f2b61adb51fab40e7485f43006ab

SHA1
e79ee9c6d500f4dd2f3daf7a79fef3ba9f35dc29

SHA256
c495a333182c5c4b3d1f2a881faf62b5b61f617c2c1d3d632c620694b9f6a043

SHA512
e003a977176600b6eaecbb9399e0bd2a2cfcd4246f092dc72d6893903f9eb293a6c94d6e3e93b75a57bdc9a9cb0cc0fd782e43d806de3f0d51652f8bf143adf4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
788345753120edbaa966d902e5b7e3a1

SHA1
5bc773886598517b3b3f14057d1fa44840b05b98

SHA256
88118cccb839f42d8e1bccf856660fd580f39d34cf8c1a4dce5be031a7509cb4

SHA512
ad062fb4a10d1a1b31b3ca4571fe6ee93c40c09a90cd75eb3df6df979f995167a5b26687a040e0c6181d6123c4ce6f8b596a924694fa1b4096c422de59660fe0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bcab1883cb97a50dadba0a32f6425544

SHA1
6a6b5851b53608762d208f57ad337854a1f63aae

SHA256
99f511479000b9245891ac3146c59767c3bb9a95f2a7739356c89a1fe0e4a15e

SHA512
b74171b3c53885d0884339360a41f21fe834404196d58d887b15b590264df88bc6b9dd92fbf6486ab59d210de787315c62fa976bee024fcfc57b8080593ef556

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b785446424f1f0e03f67e352bf3ca82e

SHA1
a6ef75498f5726ae96b65c28929492f533cd7987

SHA256
7d496c646fa3af00e9d6bba71660dcc21979b3f7d4139e21dd1a46a2c641d5a1

SHA512
5359ce0acffc563547271cf7fa0ea1a836f75b3ae9d865b3aa4066397ecb8f6fa0bc4b3c72862d1e02f6ab4aadbc36527e9eaf3e6fc24f1f42451b57bc7b349d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
47a0414a12152f7659c40d47ef72c0c3

SHA1
a8a670dacb695003dd64f0e0285d26b7f644d3c8

SHA256
6766420537effd246c2764bdee0e60c6d5a398c7290979dc3d06a1b704f52386

SHA512
4cbb22970611be3f95a615890849ac81ed550e3fcc1a16879d3da18331afae89adbacb4cd49d5458dded28283800958e04f053f2db9bb2acfe63b84b29a134ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
955a6d3cc9ff6eb29a022c3278ea31a2

SHA1
cfd9e0490a91e5e5fef525688ceb74f95ad539e2

SHA256
fa1535aa851c31050e84540c6598da16c58c05f8fb8545d4da005cd7c1352229

SHA512
0b499662744960f0627eab748747e80643bf1174fbce28df3ffb98805feaf76055b890c738ec7527c5eef2a384c4c8cee2b8c70938a6ca75bf547b574a5e1a08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
7ad9709100fb43b77314ee7765b27828

SHA1
5cd0c406c08c9c1073b0c08169ccaffbd4ef6b98

SHA256
04b61824ffce6fdbae4e6a527ae58b85813226ee28fe4d631feb76b5f936a1a9

SHA512
fc55ee34b1107e298f2cfcb20dce42b5dbc98a7b68e72ed80a6ea594f66dff6f9e9cb70ad5ccbf5ad2171275f375abac1defd8dad4118afa280cd9c1d9f6a538

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
e122fc93c0ad25d45d09ba51a3e86421

SHA1
bb52a7be91075de9d85f4a4d7baeecc3167c871b

SHA256
a277c1c6fafd7a44b47d94e4bc3c0337a64a34d252e58722855aab09e6f52bee

SHA512
12787aebefd6a5e4584ec8747a78538f948a16b214bdf81302036ae89e2c4563027847236a4770c4f780a9ca0ed03f29b1577bfb6f11feffad85b7a625324bf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7e166cffa7bae9dfb43d0b33755d1af3

SHA1
6b769b87d7bd6cee6c80b0f06b4a1a884c5f277f

SHA256
12d1b4d4d43ef3bab43478e3daf651f7321565bd935e9d24bc8104e059cc4bba

SHA512
be69d80eb81436c3425ffffb0fe70945f1e8601ad33223ef839370466d98da60676cfcc63b919319d06a97dbab323d2124c46ece2c48c7983eedb3684d0b75ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
f1e3783be5e66308e17e958a7d68e915

SHA1
6e5c92091bd32a3f07690685387c7f5b02a1d49b

SHA256
80d4138b383eb8ec3eb419389f7da3bebd07a9e474f01ce3e2c9f6c821972883

SHA512
01bdcb5f42fd4014e3f025666749a3f60c014b9204306341b8f649d6e0e65b2c391b35a165fb8958e33b028b49b55f7f3829bf6e24e0d2b67cf5c3b0d4925e55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
06f1237fe24181572535a22b5129b215

SHA1
9401268ffbaba87e4c983e30188b165c62ddab75

SHA256
f93c713f1f937b7680cbc2eb59a26403f046da288fced07f06b829c082b9c018

SHA512
a1eee622c5ab338e294e1edba7c6fe6e1652731ef0a197b5c52edad9a34301d5570c59ce119d3f5a6e335305d4018aedfd9c004fce02df3e15254a5cb82b5ef6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5821fa.TMP

Filesize
874B

MD5
a9ec912d733c7193f46ba48c3b5b1218

SHA1
86091e72b7de5966eaa89dde2d4c68f0a95ecd2b

SHA256
23029ceb56da7b7def2b659705129bd61fda07fbb91105cd8f8d9d1331674f6c

SHA512
93ce962f092796d2ab7c83a4c7dc92a725712644e092d881712b2cd611fc63e15837c637253b05a2a8cd724606d91786158ac015d4aef8a2188350c1ed475d0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\heavy_ad_intervention_opt_out.db

Filesize
16KB

MD5
9e02552124890dc7e040ce55841d75a4

SHA1
f4179e9e3c00378fa4ad61c94527602c70aa0ad9

SHA256
7b6e4ce73ddd8b5e7a7c4a94374ac2815d0048a5296879d7659a92ee0b425c77

SHA512
3e10237b1bff73f3bb031f108b8de18f1b3c3396d63dfee8eb2401ce650392b9417143a9ef5234831d8386fc12e232b583dd45eada3f2828b3a0a818123dd5cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
4KB

MD5
d9f84c8cf73422f2ca07d7e7462b9534

SHA1
cff6e092bf5bf1f3f47b7074847e204042a881ae

SHA256
5bf7b14dde109f722782628bbcf3011a23cd2416e7621a62b49ee0333cdec6c2

SHA512
1ea893c62d64304c35b9086e2c7e760716ea5ce220bafb76632670fcd2f97eca5c6693ff98004a861b190060c47c9d97ac92b41e3b1da1a4e8f89d9638548c38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a421587e31a9728f80feaeddbd599e0b

SHA1
003548b0ca3c16b94148156e805b30b742577927

SHA256
590b83e06255dbeac0da10ad93e3a2bc509ad6a2526c080007a907c414f47015

SHA512
819a7cce137b16fc82ed2a41f80d3a904d67877ed777f7188265798c52af033022fbda2276d726dadf103bcd74a70348453ae871c6a52938bc6a617d54b4df3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
398e43655800dda53eeac1511d605271

SHA1
4d466f0eb6f29a4dfad003e1e090c081b6e20644

SHA256
550401254fa4218c460976f6aedb858f66119247a80b49846f027b2c929733f7

SHA512
459333aab7cf9bb500da4e1ce69fa05dfbb17244ce56dc64ec5916fd2e5ae12a785350569938a41d58dd90cec7bcf3a24cb91a16a81722f5d35fac696f984f51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
531e2c9e7ca686ef439795e17fab1fe6

SHA1
03d67a76471d7fb9dc1ca16d24717c3aee71a5da

SHA256
67388c534e5552556bd165d20bea2cee19cb85672467fb64a37fcfdfa51af2b0

SHA512
4945778f2a091e650c677df799749505aee9b0d7579eaa55dda47f19296863cc77e08ff3fe2f9256cbd42bb3706b2342cfaf5e9794a9253e4742d82ebcfc8c41

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
47d80556a68205dc796ecb40b628947d

SHA1
7ba8760a8e8b374dcbe45dd8aaa7c7c57506381e

SHA256
44f32a2fff0c65468636a00a558e11ffbfb9457806ca8a41bdd3914b085894bc

SHA512
f5696b8f4c88db6b04fb8a00c7fd48657702d7f0ef7de08424d42b8b4770fe7dbdc4de609bfc76d3b8bf3a2a5d4df5987834916816b4199f63dac086585ae16b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
914052e72febad30945cd86d96752ed9

SHA1
0e53d2b4c13421f946b2cd3c91ae36c2a146121f

SHA256
3aa4ff7aa06daa1d54ee179c7440e21af51220d537b7a3e5f11ead18ed2d7e1b

SHA512
285894766ac08223e836214724b3fc8b605c83e05050ec2d0b7854c6d5cc41544a35c6fd5abab324e1d46bc45f38605894a7181c15c129dd5c380eceed08bd57

Download Submit
C:\Users\Admin\Downloads\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Downloads\!WannaDecryptor!.exe.lnk

Filesize
590B

MD5
d69c75842feaf1d8f4e4ac8f5ce8e684

SHA1
b8baa5d3b51f041cbc9e0971bab9afeda3e3cb8e

SHA256
443023780623143c406917d9166dbfaaca42668594c811679ae7bce72d2ec3b4

SHA512
b253c8a4e90d94d300cd84892a15d5773d272feefb4cb69b4819d93f6c2baf6d754b3cec9d9cd702b91241772ad8acd5bce2bba30623160fb5c5a3ffeed7197d

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
bfbfb4d71530024288d442856327b888

SHA1
996365373ba46a16e3e7f10f91abc4e606cc0ac5

SHA256
f1575375209ade3c928b2e964e26c5f74e7f7dce737f04f1738ad19ffd7eb3a8

SHA512
82ceb7b63c9032100bb1fff715ca61a7e84db2bc762181bfb6e4e5aec779c177477ffe2c357c76a6957f957aeaf990e76339472e0d7606755323bc11334f9963

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
91a22e1f8f7397f7bc43f9d66949daaa

SHA1
8ccefac7525a9ebf5e4c85996445148581a88cf9

SHA256
9fbbd348b0b67445f34ebacb85964c921f9ebb512ffabfb8dd6f18437cf4cf86

SHA512
bd643736ece3d69b089445c0f5c027acc17db02e6a4550a5674c9af0124e38767d2798afd3427f678be2e31ce7655c3149c90ab2f59c9b8da366a06afc43a6cf

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
e54b9050e4c7c96b7f0b7b7010a122b4

SHA1
90cf6cfb9406860efa56f4b632e9ca0cc7d9b185

SHA256
64c1c61b6333bb5e9c1d1c1c5bbaaac6c7b55f1af5c724cad82e02d1369c731c

SHA512
0cbdbec93c49b65816607604a70db7f6e0e2f2c3fa1fc3d0a251666e9f664b28cdc8e28bd4855a0fce4e497623047539177b28ee0156205009081327ce8149ea

Download Submit
C:\Users\Admin\Downloads\55311731107060.bat

Filesize
318B

MD5
a261428b490a45438c0d55781a9c6e75

SHA1
e9eefce11cefcbb7e5168bfb8de8a3c3ac45c41e

SHA256
4288d655b7de7537d7ea13fdeb1ba19760bcaf04384cd68619d9e5edb5e31f44

SHA512
304887938520ffcc6966da83596ccc8688b7eace9572982c224f3fb9c59e6fb2dcaa021a19d2aae47346e954c0d0d8145c723b7143dece11ac7261dc41ba3d40

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 254923.crdownload

Filesize
224KB

MD5
5c7fb0927db37372da25f270708103a2

SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29

SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Download Submit
C:\Users\Admin\Downloads\c.vbs

Filesize
201B

MD5
02b937ceef5da308c5689fcdb3fb12e9

SHA1
fa5490ea513c1b0ee01038c18cb641a51f459507

SHA256
5d57b86aeb52be824875008a6444daf919717408ec45aff4640b5e64610666f1

SHA512
843eeae13ac5fdc216b14e40534543c283ecb2b6c31503aba2d25ddd215df19105892e43cf618848742de9c13687d21e8c834eff3f2b69a26df2509a6f992653

Download Submit
C:\Users\Admin\Downloads\c.wry

Filesize
628B

MD5
527d7410defeaad7402f8a10e3c70382

SHA1
ac9de5313a67c746760eecfbe0442247c8680a5a

SHA256
e24f61a764a2522c04e7131b0eb76ccb3ee17a31aee5c067dd436cfd59bb93d5

SHA512
01d5824c73f811808ad208dc1b8e00d8ab7cff74277c675fb3a30567cf7e1156bff8c598c364b5db500353d426dfd8010f0eb5aab1304656516aeb526511e1b5

Download Submit
C:\Users\Admin\Downloads\c.wry

Filesize
628B

MD5
663e55df21852bc8870b86bc38e58262

SHA1
1c691bf030ecfce78a9476fbdef3afe61724e6a9

SHA256
bf22e8e18db1638673f47591a13d18ee58d8c6019314bab5a90be82ae3dc9538

SHA512
6a54be1fa549633a2fd888c559207437b8f6efda98bb18d491c8749f39e9754f1e680fa8e2d623777b5f665b2c04d19385c75ce4e61fb251db16018963a9a6f9

Download Submit
C:\Users\Admin\Downloads\m.wry

Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\Downloads\r.wry

Filesize
729B

MD5
880e6a619106b3def7e1255f67cb8099

SHA1
8b3a90b2103a92d9facbfb1f64cb0841d97b4de7

SHA256
c9e9dc06f500ae39bfeb4671233cc97bb6dab58d97bb94aba4a2e0e509418d35

SHA512
c35ca30e0131ae4ee3429610ce4914a36b681d2c406f67816f725aa336969c2996347268cb3d19c22abaa4e2740ae86f4210b872610a38b4fa09ee80fcf36243

Download Submit
C:\Users\Admin\Downloads\t.wry

Filesize
68KB

MD5
5557ee73699322602d9ae8294e64ce10

SHA1
1759643cf8bfd0fb8447fd31c5b616397c27be96

SHA256
a7dd727b4e0707026186fcab24ff922da50368e1a4825350bd9c4828c739a825

SHA512
77740de21603fe5dbb0d9971e18ec438a9df7aaa5cea6bd6ef5410e0ab38a06ce77fbaeb8fc68e0177323e6f21d0cee9410e21b7e77e8d60cc17f7d93fdb3d5e

Download Submit
C:\Users\Admin\Downloads\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
memory/4492-460-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download